puppet 2.6.18 → 2.7.1

data/lib/puppet/network/handler/report.rb

@@ -1,7 +1,5 @@
 require 'puppet/util/instance_loader'
 require 'puppet/reports'
-require 'puppet/network/handler'
-require 'xmlrpc/server'
 
 # A simple server for triggering a new run on a Puppet client.
 class Puppet::Network::Handler

data/lib/puppet/network/handler/runner.rb

@@ -1,6 +1,4 @@
 require 'puppet/run'
-require 'puppet/network/handler'
-require 'xmlrpc/server'
 
 class Puppet::Network::Handler
   class MissingMasterError < RuntimeError; end # Cannot find the master client

data/lib/puppet/network/handler/status.rb

@@ -1,5 +1,3 @@
-require 'puppet/network/handler'
-require 'xmlrpc/server'
 class Puppet::Network::Handler
   class Status < Handler
     desc "A simple interface for testing Puppet connectivity."

data/lib/puppet/network/http/api/v1.rb

@@ -8,6 +8,9 @@ module Puppet::Network::HTTP::API::V1
       :plural => :search,
       :singular => :find
     },
+    "POST" => {
+      :singular => :find,
+    },
     "PUT" => {
       :singular => :save
     },
@@ -27,14 +30,13 @@ module Puppet::Network::HTTP::API::V1
 
     method = indirection_method(http_method, indirection)
 
-    params[:environment] = environment
-    params.delete(:bucket_path)
+    params[:environment] = Puppet::Node::Environment.new(environment)
 
     raise ArgumentError, "No request key specified in #{uri}" if key == "" or key.nil?
 
     key = URI.unescape(key)
 
-    Puppet::Indirector::Request.new(indirection, method, key, params)
+    [indirection, method, key, params]
   end
 
   def indirection2uri(request)
@@ -42,6 +44,11 @@ module Puppet::Network::HTTP::API::V1
     "/#{request.environment.to_s}/#{indirection}/#{request.escaped_key}#{request.query_string}"
   end
 
+  def request_to_uri_and_body(request)
+    indirection = request.method == :search ? pluralize(request.indirection_name.to_s) : request.indirection_name.to_s
+    ["/#{request.environment.to_s}/#{indirection}/#{request.escaped_key}", request.query_string.sub(/^\?/,'')]
+  end
+
   def indirection_method(http_method, indirection)
     raise ArgumentError, "No support for http method #{http_method}" unless METHOD_MAP[http_method]
 
@@ -62,6 +69,7 @@ module Puppet::Network::HTTP::API::V1
     # that leads to the fix being too long.
     return :singular if indirection == "facts"
     return :singular if indirection == "status"
+    return :singular if indirection == "certificate_status"
     return :plural if indirection == "inventory"
 
     result = (indirection =~ /s$|_search$/) ? :plural : :singular

data/lib/puppet/network/http/handler.rb

@@ -61,17 +61,15 @@ module Puppet::Network::HTTP::Handler
 
   # handle an HTTP request
   def process(request, response)
-    indirection_request = uri2indirection(http_method(request), path(request), params(request))
+    indirection, method, key, params = uri2indirection(http_method(request), path(request), params(request))
 
-    check_authorization(indirection_request)
+    check_authorization(indirection, method, key, params)
 
-    send("do_#{indirection_request.method}", indirection_request, request, response)
+    send("do_#{method}", indirection, key, params, request, response)
   rescue SystemExit,NoMemoryError
     raise
   rescue Exception => e
     return do_exception(response, e)
-  ensure
-    cleanup(request)
   end
 
   # Set the response up, with the body and status.
@@ -98,11 +96,16 @@ module Puppet::Network::HTTP::Handler
     set_response(response, exception.to_s, status)
   end
 
+  def model(indirection_name)
+    raise ArgumentError, "Could not find indirection '#{indirection_name}'" unless indirection = Puppet::Indirector::Indirection.instance(indirection_name.to_sym)
+    indirection.model
+  end
+
   # Execute our find.
-  def do_find(indirection_request, request, response)
-    unless result = indirection_request.model.find(indirection_request.key, indirection_request.to_hash)
-      Puppet.info("Could not find #{indirection_request.indirection_name} for '#{indirection_request.key}'")
-      return do_exception(response, "Could not find #{indirection_request.indirection_name} #{indirection_request.key}", 404)
+  def do_find(indirection_name, key, params, request, response)
+    unless result = model(indirection_name).indirection.find(key, params)
+      Puppet.info("Could not find #{indirection_name} for '#{key}'")
+      return do_exception(response, "Could not find #{indirection_name} #{key}", 404)
     end
 
     # The encoding of the result must include the format to use,
@@ -119,10 +122,10 @@ module Puppet::Network::HTTP::Handler
   end
 
   # Execute our head.
-  def do_head(indirection_request, request, response)
-    unless indirection_request.model.head(indirection_request.key, indirection_request.to_hash)
-      Puppet.info("Could not find #{indirection_request.indirection_name} for '#{indirection_request.key}'")
-      return do_exception(response, "Could not find #{indirection_request.indirection_name} #{indirection_request.key}", 404)
+  def do_head(indirection_name, key, params, request, response)
+    unless self.model(indirection_name).indirection.head(key, params)
+      Puppet.info("Could not find #{indirection_name} for '#{key}'")
+      return do_exception(response, "Could not find #{indirection_name} #{key}", 404)
     end
 
     # No need to set a response because no response is expected from a
@@ -130,37 +133,35 @@ module Puppet::Network::HTTP::Handler
   end
 
   # Execute our search.
-  def do_search(indirection_request, request, response)
-    result = indirection_request.model.search(indirection_request.key, indirection_request.to_hash)
+  def do_search(indirection_name, key, params, request, response)
+    model  = self.model(indirection_name)
+    result = model.indirection.search(key, params)
 
     if result.nil?
-      return do_exception(response, "Could not find instances in #{indirection_request.indirection_name} with '#{indirection_request.key}'", 404)
+      return do_exception(response, "Could not find instances in #{indirection_name} with '#{key}'", 404)
     end
 
     format = format_to_use(request)
     set_content_type(response, format)
 
-    set_response(response, indirection_request.model.render_multiple(format, result))
+    set_response(response, model.render_multiple(format, result))
   end
 
   # Execute our destroy.
-  def do_destroy(indirection_request, request, response)
-    result = indirection_request.model.destroy(indirection_request.key, indirection_request.to_hash)
+  def do_destroy(indirection_name, key, params, request, response)
+    result = model(indirection_name).indirection.destroy(key, params)
 
     return_yaml_response(response, result)
   end
 
   # Execute our save.
-  def do_save(indirection_request, request, response)
+  def do_save(indirection_name, key, params, request, response)
     data = body(request).to_s
     raise ArgumentError, "No data to save" if !data or data.empty?
 
     format = request_format(request)
-    obj = indirection_request.model.convert_from(format, data)
-    unless indirection_request.model === obj
-      raise ArgumentError, "Request data must be of type #{indirection_request.model.inspect}"
-    end
-    result = save_object(indirection_request, obj)
+    obj = model(indirection_name).convert_from(format, data)
+    result = model(indirection_name).indirection.save(obj, key)
     return_yaml_response(response, result)
   end
 
@@ -182,12 +183,6 @@ module Puppet::Network::HTTP::Handler
     set_response(response, body.to_yaml)
   end
 
-  # LAK:NOTE This has to be here for testing; it's a stub-point so
-  # we keep infinite recursion from happening.
-  def save_object(ind_request, object)
-    object.save(ind_request.key)
-  end
-
   def get?(request)
     http_method(request) == 'GET'
   end
@@ -222,10 +217,6 @@ module Puppet::Network::HTTP::Handler
     raise NotImplementedError
   end
 
-  def cleanup(request)
-    # By default, there is nothing to cleanup.
-  end
-
   def decode_params(params)
     params.inject({}) do |result, ary|
       param, value = ary

data/lib/puppet/network/http/rack/rest.rb

@@ -73,17 +73,12 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
   end
 
   # return the request body
+  # request.body has some limitiations, so we need to concat it back
+  # into a regular string, which is something puppet can use.
   def body(request)
     request.body.read
   end
 
-  # Passenger freaks out if we finish handling the request without reading any
-  # part of the body, so make sure we have.
-  def cleanup(request)
-    request.body.read(1)
-    nil
-  end
-
   def extract_client_info(request)
     result = {}
     result[:ip] = request.ip

data/lib/puppet/network/http/webrick.rb

@@ -104,9 +104,8 @@ class Puppet::Network::HTTP::WEBrick
     results[:SSLCertificate] = host.certificate.content
     results[:SSLStartImmediately] = true
     results[:SSLEnable] = true
-    results[:SSLOptions] = OpenSSL::SSL::OP_NO_SSLv2
 
-    raise Puppet::Error, "Could not find CA certificate" unless Puppet::SSL::Certificate.find(Puppet::SSL::CA_NAME)
+    raise Puppet::Error, "Could not find CA certificate" unless Puppet::SSL::Certificate.indirection.find(Puppet::SSL::CA_NAME)
 
     results[:SSLCACertificateFile] = Puppet[:localcacert]
     results[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER

data/lib/puppet/network/http_pool.rb

@@ -50,23 +50,14 @@ module Puppet::Network::HttpPool
 
   # Use cert information from a Puppet client to set up the http object.
   def self.cert_setup(http)
-    if FileTest.exist?(Puppet[:hostcert]) and FileTest.exist?(Puppet[:localcacert])
-      http.cert_store  = ssl_host.ssl_store
-      http.ca_file     = Puppet[:localcacert]
-      http.cert        = ssl_host.certificate.content
-      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      http.key         = ssl_host.key.content
-    else
-      # We don't have the local certificates, so we don't do any verification
-      # or setup at this early stage.  REVISIT: Shouldn't we supply the local
-      # certificate details if we have them?  The original code didn't.
-      # --daniel 2012-06-03
-
-      # Ruby 1.8 defaulted to this, but 1.9 defaults to peer verify, and we
-      # almost always talk to a dedicated, not-standard CA that isn't trusted
-      # out of the box.  This forces the expected state.
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-    end
+    # Just no-op if we don't have certs.
+    return false unless FileTest.exist?(Puppet[:hostcert]) and FileTest.exist?(Puppet[:localcacert])
+
+    http.cert_store = ssl_host.ssl_store
+    http.ca_file = Puppet[:localcacert]
+    http.cert = ssl_host.certificate.content
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    http.key = ssl_host.key.content
   end
 
   # Retrieve a cached http instance if caching is enabled, else return

data/lib/puppet/network/http_server/mongrel.rb

@@ -127,3 +127,4 @@ module Puppet::Network
     end
   end
 end
+

data/lib/puppet/network/http_server/webrick.rb

@@ -0,0 +1,155 @@
+require 'puppet'
+require 'webrick'
+require 'webrick/https'
+require 'fcntl'
+
+require 'puppet/sslcertificates/support'
+require 'puppet/network/xmlrpc/webrick_servlet'
+require 'puppet/network/http_server'
+require 'puppet/network/client'
+require 'puppet/network/handler'
+
+module Puppet
+  class ServerError < RuntimeError; end
+  module Network
+    # The old-school, pure ruby webrick server, which is the default serving
+    # mechanism.
+    class HTTPServer::WEBrick < WEBrick::HTTPServer
+      include Puppet::SSLCertificates::Support
+
+      # Read the CA cert and CRL and populate an OpenSSL::X509::Store
+      # with them, with flags appropriate for checking client
+      # certificates for revocation
+      def x509store
+        unless File.exist?(Puppet[:cacrl])
+          # No CRL, no store needed
+          return nil
+        end
+        crl = OpenSSL::X509::CRL.new(File.read(Puppet[:cacrl]))
+        store = OpenSSL::X509::Store.new
+        store.purpose = OpenSSL::X509::PURPOSE_ANY
+        store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
+        raise Puppet::Error, "Could not find CA certificate" unless self.ca_cert
+
+        store.add_file(Puppet[:localcacert])
+        store.add_crl(crl)
+        store
+      end
+
+      # Set up the http log.
+      def httplog
+        args = []
+
+        # yuck; separate http logs
+        file = nil
+        Puppet.settings.use(:main, :ssl, Puppet[:name])
+        if Puppet.run_mode.master?
+          file = Puppet[:masterhttplog]
+        else
+          file = Puppet[:httplog]
+        end
+
+        # open the log manually to prevent file descriptor leak
+        file_io = open(file, "a+")
+        file_io.sync
+        file_io.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
+
+        args << file_io
+        args << WEBrick::Log::DEBUG if Puppet[:debug]
+
+        log = WEBrick::Log.new(*args)
+
+
+        log
+      end
+
+      # Create our server, yo.
+      def initialize(hash = {})
+        Puppet.info "Starting server for Puppet version #{Puppet.version}"
+
+        if handlers = hash[:Handlers]
+          handler_instances = setup_handlers(handlers)
+        else
+          raise ServerError, "A server must have handlers"
+        end
+
+        unless self.read_cert
+          if ca = handler_instances.find { |handler| handler.is_a?(Puppet::Network::Handler.ca) }
+            request_cert(ca)
+          else
+            raise Puppet::Error, "No certificate and no CA; cannot get cert"
+          end
+        end
+
+        setup_webrick(hash)
+
+        begin
+          super(hash)
+        rescue => detail
+          puts detail.backtrace if Puppet[:trace]
+          raise Puppet::Error, "Could not start WEBrick: #{detail}"
+        end
+
+        # make sure children don't inherit the sockets
+        listeners.each { |sock|
+          sock.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
+        }
+
+        Puppet.info "Listening on port #{hash[:Port]}"
+
+        # this creates a new servlet for every connection,
+        # but all servlets have the same list of handlers
+        # thus, the servlets can have their own state -- passing
+        # around the requests and such -- but the handlers
+        # have a global state
+
+        # mount has to be called after the server is initialized
+        servlet = Puppet::Network::XMLRPC::WEBrickServlet.new( handler_instances)
+        self.mount("/RPC2", servlet)
+      end
+
+      # Create a ca client to set up our cert for us.
+      def request_cert(ca)
+        client = Puppet::Network::Client.ca.new(:CA => ca)
+        raise Puppet::Error, "Could get certificate" unless client.request_cert
+      end
+
+      # Create all of our handler instances.
+      def setup_handlers(handlers)
+        raise ServerError, "Handlers must have arguments" unless handlers.is_a?(Hash)
+
+        handlers.collect { |handler, args|
+          hclass = nil
+          unless hclass = Puppet::Network::Handler.handler(handler)
+            raise ServerError, "Invalid handler #{handler}"
+          end
+          hclass.new(args)
+        }
+      end
+
+      # Handle all of the many webrick arguments.
+      def setup_webrick(hash)
+        hash[:Port] ||= Puppet[:masterport]
+        hash[:Logger] ||= self.httplog
+        hash[:AccessLog] ||= [
+          [ self.httplog, WEBrick::AccessLog::COMMON_LOG_FORMAT ],
+          [ self.httplog, WEBrick::AccessLog::REFERER_LOG_FORMAT ]
+        ]
+
+        hash[:SSLCertificateStore] = x509store
+        hash[:SSLCertificate] = self.cert
+        hash[:SSLPrivateKey] = self.key
+        hash[:SSLStartImmediately] = true
+        hash[:SSLEnable] = true
+        hash[:SSLCACertificateFile] = Puppet[:localcacert]
+        hash[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER
+        hash[:SSLCertName] = nil
+
+        if addr = Puppet[:bindaddress] and addr != ""
+          hash[:BindAddress] = addr
+        end
+      end
+    end
+  end
+end
+

data/lib/puppet/network/rest_authconfig.rb

@@ -8,11 +8,12 @@ module Puppet
 
     DEFAULT_ACL = [
       { :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
+      { :acl => "~ ^\/node\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
       # this one will allow all file access, and thus delegate
       # to fileserver.conf
       { :acl => "/file" },
       { :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
-      { :acl => "~ ^\/report\/([^\/]+)$", :method => :save, :allow => '$1', :authenticated => true },
+      { :acl => "/report", :method => :save, :authenticated => true },
       { :acl => "/certificate/ca", :method => :find, :authenticated => false },
       { :acl => "/certificate/", :method => :find, :authenticated => false },
       { :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },
@@ -31,14 +32,14 @@ module Puppet
     # check wether this request is allowed in our ACL
     # raise an Puppet::Network::AuthorizedError if the request
     # is denied.
-    def allowed?(request)
+    def allowed?(indirection, method, key, params)
       read
 
       # we're splitting the request in part because
       # fail_on_deny could as well be called in the XMLRPC context
       # with a ClientRequest.
 
-      if authorization_failure_exception = @rights.is_request_forbidden_and_why?(request)
+      if authorization_failure_exception = @rights.is_request_forbidden_and_why?(indirection, method, key, params)
         Puppet.warning("Denying access: #{authorization_failure_exception}")
         raise authorization_failure_exception
       end